TLS handshake failed at client hello with PSK and Zabbix agent 2 crashes

This topic has been answered.

  • MXM_RNG
    Junior Member
    • Mar 2024
    • 4

    #1

    TLS handshake failed at client hello with PSK and Zabbix agent 2 crashes

    Greetings,

    I am experiencing some difficulties while trying to configure TLS communication between the Zabbix server and agent 2 (Linux and Windows) with a PSK key. No proxy for the moment, and communication worked just fine unencrypted.

    #Problem:

    The TLS handshake does not complete, and it is impossible to restart agent 2 (Linux and Windows) in order to reload the new configuration. So I kill the process on Linux and end the task in Task Manager on Windows.
    The TCP handshake is OK, but not TLS (see picture below). Same error in the server log, and on the agent side the C source code TLS functions seem to run again and again (=> connection timed out) and nothing happens afterwards in the agent-side logs (agent freezes).

    As you can see in the Wireshark screenshot below, the TLS version seems to be 1.2, but I am not sure of it.


    I forced TLS 1.2 on the server side (verified with openssl cipher -v) but it did not change anything.
    I verified the firewall configurations and everything seems OK.
    I verified the Windows registry and enabled server and client TLS 1.2.
    I verified the time.
    The PSK and PSK identity match for each agent separately and on the server.
    The PSK is also configured correctly in the server frontend.

    Similar topics on this forum have network congestion or proxy misconfiguration. I have no network congestion, no proxy, and I did not see agents freeze in any similar topic.
    Any idea what I could do to solve this problem? New to Zabbix, so any help would be great!

    #Configurations:
    Zabbix server: Debian 10 with Zabbix 5.0 LTS, OpenSSL 1.1.1n, libssl.so.1.1
    Linux Zabbix agent: Debian 12, Zabbix agent 2
    Windows Zabbix agent: Windows Server 2022

    zabbix_agent2.conf (Linux and Windows agents)
    Code:
    TLSConnect=psk
    TLSAccept=psk
    TLSPSKIdentity=PSK_00X
    TLSPSKFile=C:\Program Files\Zabbix Agent 2\Zabbix_agent.psk # for Linux: /etc/zabbix/agent.psk
    [Attached screenshot: Capture.png, Wireshark capture of the failed TLS handshake]
  • Answer selected by MXM_RNG at 14-03-2024, 11:51 (post #3 below).

    • tim.mooney
      Senior Member
      • Dec 2012
      • 1427

      #2
      You're correct that the other forum threads you found aren't relevant for your situation.

      Have you tried the "zabbix_get" example from the Zabbix Encryption documentation, to see if zabbix_get from the agent itself works? https://www.zabbix.com/documentation...re_shared_keys

      If zabbix_get from the same host works, then the problem is either that you have something misconfigured on the server OR (my suspicion) the difference between the server's OpenSSL version and the clients' means that the server can't successfully negotiate with the newer TLS implementations on the clients. You've done the right thing by making sure that TLS 1.2 is enabled on at least the Windows client, since TLS 1.2 is probably the only version that OpenSSL 1.1.1n on the server and the clients would both support. It's still possible, though, that they're not agreeing on ciphers or there's some other problem.

      My site isn't using zabbix_agent2 yet, so I'm not very familiar with what configuration options it supports, but at least the traditional agent supports various options to override the ciphers used for either PSK or certificate-based authentication. For example, TLSCipherPSK. Does zabbix_agentd2 support something similar in its conf?

      You're using different pre-shared keys for each client as outlined in the documentation, correct?


      • MXM_RNG
        Junior Member
        • Mar 2024
        • 4

        #3
        Hi Tim, sorry for the late response.

        I have meanwhile reinstalled the Windows agent 2 and then it worked unexpectedly.
        During the first installation I did not configure the TLS connection with PSK, to test in my lab with unencrypted communication. But when I reinstalled, I directly input the same configuration in the install wizard and it worked.
        A few minutes later the Linux agent 2 also started working, but for this one I did almost nothing more than before... except that I configured unencrypted communication and PSK at the same time to test communication, and then I removed unencrypted and it worked. Not sure it was that that did the trick...

        Now I am starting the configuration with a proxy; Windows is working fine (with reinstallation again, with proxy settings). But the same Linux agent still has the same error. I have not tried everything yet on this one, so I will mark this topic as resolved (at least it could help for the same error on Windows) and create another one if necessary (hope not)!

        Thanks for your time ;-)


        UPDATE: I did the same as before with the Linux agent 2: configuring TLS-PSK and unencrypted communication to restore communication, then only allowing PSK. It seemed not to work this time, then I left, and when I was back I looked in the agent log and saw that everything was all right. But it took a while, like 30 minutes.
        2024/03/14 09:21:08.159385 [101] cannot connect to [192.168.10.105:10051]: C0D60EA21E7F0000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1586:SSL alert number 40
        2024/03/14 09:21:08.159465 [101] active check configuration update from host [Zabbix-enpoint-02] started to fail
        ...
        2024/03/14 09:53:24.158034 [101] cannot connect to [192.168.10.105:10051]: C0C68AA11E7F0000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1586:SSL alert number 40
        2024/03/14 09:53:24.158082 [101] active check configuration update from host [Zabbix-enpoint-02] started to fail
        2024/03/14 09:55:25.171600 [101] active check configuration update from [192.168.10.105:10051] is working again

        Passive and active checks are both working.
        Last edited by MXM_RNG; 14-03-2024, 11:51.

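The following script is an added example written for this page; it is not code from Zabbix or from either poster. It ties together the zabbix_get check Tim suggests in #2 and the "SSL alert number 40" log lines in the update in #3. It validates the agent's PSK file against the limits Zabbix documents (a single line of 32 to 512 hex digits) and warns when the file is readable by other local users, decodes the alert number OpenSSL appends to the agent's log line (40 is handshake_failure per RFC 5246, 115 is unknown_psk_identity per RFC 4279), counts the alerts in a log, and then runs zabbix_get with the documented --tls-connect, --tls-psk-identity and --tls-psk-file options. The openssl s_client probe is an extra step assumed here, not something the thread describes: it tries a TLS 1.2 PSK handshake against the agent with the same identity and key, leaving Zabbix's own code out of the picture. The host 127.0.0.1, the identity PSK_001, port 10050 and the log path are assumed defaults; the sample PSK and log lines in the usage are constructed.

```shell
#!/bin/sh
# Added troubleshooting helper for a Zabbix TLS-PSK handshake that fails with
# "SSL alert number 40". Not Zabbix code; host, port, identity and paths are examples.

# Zabbix documents the PSK as a single line of 32..512 hex digits (128..2048 bits).
check_psk_file() {
    psk_file="$1"
    [ -r "$psk_file" ] || { echo "cannot read $psk_file" >&2; return 1; }
    psk=$(head -n 1 "$psk_file" | tr -d '\r\n')   # drop the LF, and a CR left by a Windows editor
    case "$psk" in
        ""|*[!0-9A-Fa-f]*) echo "PSK must contain hex digits only" >&2; return 1 ;;
    esac
    len=${#psk}
    if [ "$len" -lt 32 ] || [ "$len" -gt 512 ] || [ $((len % 2)) -ne 0 ]; then
        echo "PSK is $len hex digits; need an even count between 32 and 512" >&2
        return 1
    fi
    # The PSK is a secret: any group/other permission bit lets other local users read it.
    case "$(ls -l "$psk_file" | cut -c5-10)" in
        *[rwx]*) echo "warning: $psk_file is readable by other users" >&2 ;;
    esac
    return 0
}

# Map the alert number OpenSSL appends to the log line to its TLS alert name (RFC 5246, RFC 4279).
tls_alert_name() {
    case "$1" in
        40)  echo handshake_failure ;;     # no cipher suite acceptable to both sides, or server refused the PSK
        47)  echo illegal_parameter ;;
        70)  echo protocol_version ;;      # peer does not accept the offered TLS version
        115) echo unknown_psk_identity ;;  # server has no PSK under the identity the client sent
        *)   echo "alert_$1" ;;
    esac
}

# Extract the alert number from one agent log line; prints nothing if the line has none.
alert_from_log_line() {
    printf '%s\n' "$1" | sed -n 's/.*SSL alert number \([0-9][0-9]*\).*/\1/p'
}

# Count the TLS alerts in an agent log by name, e.g. "2 handshake_failure".
summarise_alerts() {
    grep 'SSL alert number' "$1" | while IFS= read -r line; do
        tls_alert_name "$(alert_from_log_line "$line")"
    done | sort | uniq -c | sed 's/^ *//'
}

# The check Tim suggests: query the agent directly over PSK with zabbix_get, first on the
# agent host itself (-s 127.0.0.1), then from the server. Options are the documented ones.
zabbix_get_psk() {
    host="$1"; identity="$2"; psk_file="$3"
    zabbix_get -s "$host" -p 10050 -k agent.ping \
        --tls-connect=psk --tls-psk-identity="$identity" --tls-psk-file="$psk_file"
}

# Assumed extra probe that leaves Zabbix out: can a plain OpenSSL client complete a TLS 1.2
# PSK handshake with the agent using the same identity and key? (-psk takes the key as hex.)
openssl_psk_probe() {
    host="$1"; identity="$2"; psk_file="$3"
    openssl s_client -connect "$host:10050" -tls1_2 -cipher PSK \
        -psk_identity "$identity" -psk "$(head -n 1 "$psk_file" | tr -d '\r\n')" </dev/null
}

main() {
    host="${1:-127.0.0.1}"; identity="${2:-PSK_001}"; psk_file="${3:-/etc/zabbix/agent.psk}"
    check_psk_file "$psk_file" || exit 1
    if zabbix_get_psk "$host" "$identity" "$psk_file"; then
        echo "PSK handshake with $host OK"
    else
        echo "zabbix_get failed; TLS alerts recorded in the local agent log:"
        summarise_alerts /var/log/zabbix/zabbix_agent2.log
        openssl_psk_probe "$host" "$identity" "$psk_file"
    fi
}

# Runs only when given arguments, e.g.: sh psk_check.sh 127.0.0.1 PSK_001 /etc/zabbix/agent.psk
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it on the agent host first; if zabbix_get against 127.0.0.1 already fails, the server is not the problem. A handshake_failure (40) points at the cipher or PSK side of the negotiation, while unknown_psk_identity (115) or a server-log line about an unknown identity points at the identity string itself; in either case compare the identity and hex key byte for byte with what the frontend holds, and check that the file has no stray characters, which the hex check above catches.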